In accordance with data protection legislation, joint controllers means two controllers who determine the purposes and means of processing data. Joint controllers agree on a system and transparent manner on the basis of which each takes responsibility for the supervision of compliance with data protection obligations in their assigned areas.
The Ministry for Foreign Affairs is joint controller with the following systems and actors:
- Government’s shared information systems
- Shared customer relationship management system KasvuCRM
Government’s shared information systems
The Ministry for Foreign Affairs and the Prime Minister's Office are joint controllers when processing personal data in the government’s shared information systems.
The Foreign Ministry’s shared information systems are:
- case management systems for storing letters from citizens, requests for information and other communications: VAHVA (deployment in summer 2021), Aski (document drafting system), Arkki (online archive), UHKUVA (electronic photo archive), separate document registers maintained by the Foreign Service, and EU affairs case management system EUTORI
- the Government intranet Kampus
- the Government’s project management tool Gateway to Information on Government Projects
- the Government electronic decision support system PTJ
- the Government's service order and management system Virkku.
The Government has determined the responsibilities of each joint controller. The Ministry for Foreign Affairs and the Prime Minister's Office are responsible for ensuring that your personal data are processed in accordance with the European Union's General Data Protection Regulation (GDPR) and applicable national legislation. Regardless of joint controllership, a legal basis must exist for the disclosure of personal data between the Ministry for Foreign Affairs and the Prime Minister's Office.
In the Ministry for Foreign Affairs, we take responsibility for our own official activities, including the accuracy of your data and the realisation of your rights as a data subject. The Prime Minister's Office is responsible for the following data protection issues in the shared information systems:
- ensuring that the technical solutions have a legal basis for processing personal data in accordance with the data protection legislation
- ensuring an appropriate level of security and guaranteeing the confidentiality of services
- ensuring that contracts with processors have been concluded in accordance with the General Data Protection Regulation
- ensuring that the systems comply with data protection principles
- carrying out the necessary data protection impact assessments.
You may exercise your data protection rights in relation to both joint controllers.
- For data protection contacts at the Prime Minister's OfficeLink to another website.(Opens New Window)
Shared customer relationship management system KasvuCRM
The shared customer relationship management system KasvuCRM is a joint system, owned by the Ministry of Economic Affairs and Employment. It is used by joint controllers when handling their current and potential customer relations and marketing matters to promote companies’ business activities.
The Ministry of Economic Affairs and Employment is responsible for the system’s overall operation and for the technical interface necessary to store, connect, disclose and process data, as well as for the usability of the system and the integrity, protection and storage of data in it.
Information processed in the system is mainly public data related to companies, available from:
- the National customer data resource for business services
- the data subject
- the data subject, collected by a third party in connection with events
- public sources of information.
Personal data stored in the system is retained only as long as and to the extent that is necessary and permitted by law in relation to the original or compatible purposes, for which they have been collected. As a rule, personal data is retained for five years at most from the date on which the data was processed last for service provision purposes. However, data is not deleted if it is necessary to retain the information for the execution of a statutory duty or for processing a matter that has been initiated.
Each joint controller handles the data that they have saved and is responsible that the data is correct and up to date.
For matters relating to processing of personal data, customers can contact joint controllers or data protection officers at the following contact points:
Ministry for Foreign Affairs
Finnish Safety and Chemicals Agency
Innovaatiorahoituskeskus Business Finland,
Business ID: 0512696-4
Business Finland Ltd, Business ID 2725690–3
Information about you that we are entitled to store
The following information about your company's contact persons and authorities can be stored in the system; all information mentioned below is not necessarily stored of each person :
- Identification data: name, home country, domicile, street address, email address, phone number and data subject’s job title and role in the company
- Additional information: Nickname, name spelled in the native language, address and job title, working country, branch of industry, capital investment profile, category of expertise, job description, other description
- Information about guidance relating to business activities or other services and the service recipient’s identification data
- Changes to the above-mentioned data.
In addition, notes and other information necessary for the good management of customer relations can be processed in the system. These may include information about participation in past or future events, requests for contact, or information relating to ordered services and their delivery and invoicing.
Why we process your data
As joint controllers we process personal data case by case based on one of the following:
- Processing is necessary for the preparation or performance of a contract to which the data subject is party.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary for the performance of a task carried out in the public interest or for the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests of the controller (only in cases where this is considered to be also in the interests of the data subject).
The Ministry for Foreign Affairs processes personal data to be able to carry out its statutory duties and to perform tasks carried out in the public interest. The processing is based on Article 6, paragraph 1, points c and e of the General Data Protection Regulation (GDPR) (EU 2016/679).
Provisions on the tasks of the Ministry for Foreign Affairs and Finland's missions abroad are laid down, for example, in:
- the Act on the Foreign Service
- the Government Decree on the Foreign Service
- the Act on customer data systems for business services
Transfer of personal data
We do not disclose personal data on a regular basis.
In accordance with the Act on customer data systems for business services (293/2017), personal data can be disclosed not only to the joint controllers but also to the Ministry of Agriculture and Forestry and the Agency for Rural Affairs.
Personal data is not disclosed to other than the joint controllers except in the following cases
Exceptional situations :
- Obligated by law or an official order
- By court order
Personal data will not be transferred outside the European Union or European Economic Area.